Madman Theory Spurs Crazy Scattered Lapsus$ Hunters Playbook


Chaos Theory and Ransomware's Love Child Serves Up Nonstop Unpredictability

Long the province of Russian criminals operating beyond the reach of law enforcement, numerous ransomware campaigns now trace to reckless Western teenagers who have adopted an ethos of "whatever works."

Many organize under the banner of Scattered Lapsus$ Hunters, a loose collective that emerged from the cybercrime community The Com, and specialize in a variety of both technical and non-technical tactics. These include using social engineering and technical expertise against help desks, as well as a propensity for targeting enterprise applications built by the likes of Oracle, SAP and Salesforce.

These homegrown hackers appear to have no compunction about disrupting major businesses, leaving companies and jobs at risk, despite some of the criminals already being cryptocurrency millionaires many times over. Claimed victims lately listed by the group include major retailers, airlines and insurers, as well as Home Depot, Marriott, the National Bank of Canada and Tata Motors' Jaguar Land Rover.

Rather than being a pure-play ransomware-as-a-service operation focused on infecting endpoints with malware and demanding a ransom, or specializing instead in ransoming stolen data after mass hack attacks, Scattered Lapsus$ Hunters has demonstrated a flexibility that bends to whatever appears to be the most lucrative option available.

Group members' penchant for semi-coherent rants, over-the-top self-publicity and skill at sowing chaos could be a side effect of the late adolescence most of the hackers have only just exited or are still navigating.

It could also be an execution - knowing or not - of the "madman theory," which is again having a moment. The theory holds that threats made by someone in a leadership position who appears to be crazy are more likely to wring concessions from adversaries. First used to describe U.S. President Richard Nixon, and lately President Donald Trump, the theory's effectiveness remains a matter of debate among foreign policy experts. It hinges on someone really, truly believing their adversary is absolutely crazy and deciding to proffer concessions rather than stir even more craziness.

There's no denying that the group has grown in technical sophistication and the ability to extract extortion money from victims.

"What began as noise and theatrics has evolved into a coordinated cybercrime ecosystem, blending initial-access brokerage, insider recruitment, ransomware collaborations and targeted leaks across global enterprises," said threat intelligence firm FalconFeeds.

All of this activity "blurs the line between social-engineering gangs and mature intrusion operations, proving that access is the new payload," it said.

Hack attacks as well as shakedown efforts also demonstrate an unusual degree of unpredictability, bolstered by the group not only targeting vendors and victims, but also the cybersecurity researchers and law enforcement agencies hunting them.

Witness Scattered Lapsus$ Hunters this week leaking "apparent phone numbers and addresses" for hundreds of U.S. government officials, featuring more than 600 from the Department of Homeland Security, including FBI and Immigration and Customs Enforcement agents, as 404 Media first reported.

That followed the group threatening last week to release data stolen from 39 Salesloft customers who had integrated its AI chatbot tools with their Salesforce instances, unless they paid a ransom. After the FBI and French law enforcement began disrupting the group's ad hoc data leak sites, the criminals ended up leaking CRM data stolen from six victims and announcing that would be all.

Not long before, cybersecurity journalist Brian Krebs reported receiving a message signed by elements of Scattered Spider, Lapsus$ and ShinyHunters, demanding he visit a page on the Limewire file-sharing site to view their demands.

Instead, Krebs forwarded the message to Google Cloud's Mandiant incident response group, which found it led to a Windows trojan - "a commercially available backdoor known as Asyncrat" - disguised as a screenshot, which if viewed would automatically execute. Mandiant told Krebs its researchers were similarly targeted.

That followed the group in late August previewing the launch of a ransomware-as-a-service program called "ShinySp1d3r RaaS," which if true would stand as "the first major RaaS from English-speaking cybercriminals," said cybersecurity firm ReliaQuest.

"This service has not yet been formally released, but if it is, it will mark a major shift for English-speaking, Western-based cybercriminals, who have traditionally relied on Russian-speaking ransomware providers like DragonForce, Alphv and RansomHub that are often hesitant to collaborate with English speakers or demand a deposit as a sign of trust due to operational security concerns," it said.

This level of volatility seems more believable when it comes from ransomware-wielding teens. They continue to set a low bar, including in their targeting of the likes of healthcare providers and fellow children.

London's Metropolitan Police on Oct. 7 arrested two 17-year-olds in England as part of their probe into the theft of photographs, names and addresses pertaining to 8,000 children from the Kido nursery chain. A new group calling itself Radiant last month leaked 10 of those stolen images of children, demanding $800,000 from Kido to not leak more.

To be clear, this group has no known ties to the Scattered Lapsus$ Hunters crew, but it demonstrates the groups' collective lack of limits, which likely helps drive at least some victims to pay. And the takings are huge: Just one accused Scattered Spider member, Thalha Jubair, 19, has been charged with controlling $36 million in cryptocurrency received from ransom payments (see: Scattered Spider Sting: 2 English Teens Charged With Attacks).

While such potential largesse appears to keep attracting more fresh-faced Western teenagers, that's only part of the equation.

British cybersecurity expert Kevin Beaumont points a finger squarely at the propensity of large businesses to cover up their underlying data breaches at the hands of these "advanced persistent teenagers" by paying massive ransoms in return for their silence.

"Teens then spend the bitcoin on exploits" - plus, in one case he cites, also using stolen crypto to order pizza to their grandparent's house - which leaves society in the position of being "in a race to the bottom to arm teens with rocket launchers," he said in a post to social platform Mastodon.

Clearly, these teenagers need their funding cut off, although that happening anytime soon remains wishful thinking.

What's left? Organizations need to keep refining their defenses in light of the latest strategies being wielded by these groups.

On the upside, cybersecurity firms are getting better at documenting attackers' playbooks, including the groups' tendency to repeatedly target a single sector at a time. This can buy time for others, provided they pursue more defense in depth. "The focus must now extend beyond endpoints and infrastructure to identity protection, credential monitoring and insider-risk detection," FalconFeeds said.

Add to that the need to also educate employees about how attackers operate - not least over the phone. In other words, countering attacks that may feel like "everything, everywhere, all at once," and which seemingly may involve every last tool but the kitchen sink, requires not just tooling and workflows designed to arrest such attacks, but also cultivating a more paranoid defensive mindset among employees backed by a top-down mandate empowering them to "see something, say something."

Or in the words of threat intelligence firm Resecurity: "Prompt action and heightened vigilance are essential to mitigate potential damages."